Security Standards and Threat Evaluation

Main topics of discussion:
– Methodologies
– Standards
– Frameworks
– Measuring threats
– Threat evaluation
– Certification and accreditation

IT Governance
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

C&A
The certification and accreditation (C&A) process focuses on federal IT systems that process, store and transmit sensitive information. The associated tasks and subtasks, security controls, and verification techniques and procedures have been broadly defined so as to be universally applicable to all types of IT systems, including national security or intelligence systems, if so directed by appropriate authorities.

Standards in Assessing Risk
– Need a way to measure risk consistently
– Need to cover multiple geographies
– Needs to scale
– Newly forming
– Teaching

Methodologies
– A body of practices, procedures and rules used by those who engage in an inquiry
– Can include multiple frameworks
– Overall approach used to measure something
– Repeatable
– Utilizes standards

Standards
– Something that is widely recognized or employed, especially because of its excellence
– An acknowledged measure of comparison for qualitative or quantitative value
– Many different types of standards, even for the same elements needing to be measured

Framework
– A set of assumptions, concepts, values and practices that constitutes a way of viewing reality
– Building block for crafting an approach
– Encapsulates elements for performing a task
– Acts as a guide: details can be plugged in for specific tasks

Standards
– COBIT
– ISO 17799
– Common Criteria
– NIST

COBIT (www.isaca.org)
– Control Objectives for Information and related Technology
– Framework, standard or good practice?
– Includes:
  – Maturity models
  – Critical success factors
  – Key goal indicators
  – Key performance indicators

COBIT
COBIT is structured around four main fields of management, implying 34 processes of management associated with information technology:
1. Planning and organization
2. Acquisition and implementation
3. Delivery and support
4. Monitoring

ISO 17799
"A detailed security standard"
Ten major sections:
– Business continuity planning
– System access control
– System development and maintenance
– Physical and environmental security
– Compliance
– Personnel security
– Security organization
– Computer and network management
– Asset classification
– Security policy

ISO 17799
– Most widely recognized security standard
– Based on BS7799, last published in May 1999
– Comprehensive security control objectives
– UK-based standard

SSE-CMM

CIA Triad
Defines the "triad" as the following items:
– Confidentiality
– Integrity
– Availability
– Accountability
– Privacy
– Assurance

Common Criteria
– Developed from the TCSEC standard of the 1980s (Orange Book)
– International standard: ISO took ITSEC (UK), TCSEC and CTCPEC (Canada) and combined them into the CC (1996)
– NIAP, the National Information Assurance Partnership: http://niap.nist.gov/

Common Criteria
11 functionality classes:
– Audit
– Cryptographic support
– Communications
– User data protection
– Identification and authentication
– Security management
– Privacy
– TOE security functions
– Resource utilization
– TOE access
– Trusted paths

Threat Approach

Threat Evaluation
Evaluation of the level of threat to an asset.
Based on:
– Visibility, inherent weakness, location, personal/business values
Method:
– Determine threats to assets (and their importance)
– Determine the cost of countermeasures
– Implement countermeasures to reduce the threat

Threats
– Activity that represents possible danger
– Can come in different forms
– Can come from different places
– Can't protect from all threats
– Protect against the most likely or most worrisome, such as threats to:
  – Business mission
  – Data (integrity, confidentiality, availability)

Vulnerability Assessment
Evaluation of weakness in an asset.
Based on:
– Known published weaknesses
– Perceived / studied weaknesses
– Assessed threats
Method:
– Determine threats relevant to the asset
– Determine vulnerability to those threats
– Determine vulnerability to theoretical threats
– Fortify / accept vulnerabilities
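The threat-evaluation and vulnerability-assessment methods above are easier to see when carried through on a small inventory. The following is an added example, not code from the slides: it turns the listed threat factors (visibility, inherent weakness, location, business value) into an annual expected loss per asset and threat, compares the loss a countermeasure avoids against its cost, and records a fortify-or-accept decision for each relevant threat. The asset values, likelihoods, the 1-to-5 factor scale, the per-asset countermeasure cost and the name `evaluate` are all constructed assumptions for the demonstration; a real assessment takes these from the organisation's own risk register.

```python
"""Threat evaluation and vulnerability assessment carried through in code.

Added example, not part of the original slides. The factor scale, asset
values, threat likelihoods and countermeasure costs are constructed
assumptions; in practice they come from the risk register and incident history.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # business value in currency units (constructed)
    visibility: int         # how easy the asset is to find, 1 (low) .. 5 (high)
    inherent_weakness: int  # known design/implementation weakness, 1 .. 5
    location: int           # exposure of where it sits, 1 (vault) .. 5 (internet-facing)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float       # annual probability of an attempt, 0 .. 1 (constructed)
    impact_fraction: float  # share of asset value lost if the threat succeeds
    relevant_to: frozenset  # names of the assets this threat applies to


@dataclass(frozen=True)
class Countermeasure:
    name: str
    counters: str             # threat name it addresses
    cost: float               # cost per asset it is deployed on (assumption)
    likelihood_factor: float  # residual likelihood = original * factor


def exposure(asset: Asset) -> float:
    """The slides' threat factors (visibility, inherent weakness, location)
    scaled to 0..1; the asset's value is applied separately."""
    return (asset.visibility + asset.inherent_weakness + asset.location) / 15.0


def expected_loss(asset: Asset, threat: Threat) -> float:
    """Threat level expressed as an annual expected loss: likelihood,
    modulated by exposure, times the value at stake."""
    return threat.likelihood * exposure(asset) * asset.value * threat.impact_fraction


def evaluate(assets, threats, countermeasures):
    """Run the method from the slides for every asset:
    1. determine the threats relevant to the asset and their level,
    2. determine the cost of the available countermeasure,
    3. fortify when the loss avoided exceeds the cost, otherwise accept.
    Returns {asset name: {threat name: (expected loss, decision)}}."""
    by_threat = {c.counters: c for c in countermeasures}
    report = {}
    for asset in assets:
        findings = {}
        for threat in threats:
            if asset.name not in threat.relevant_to:
                continue                      # threat not relevant to this asset
            loss = expected_loss(asset, threat)
            cm = by_threat.get(threat.name)
            if cm is None:
                findings[threat.name] = (loss, "accept (no countermeasure)")
                continue
            avoided = loss * (1.0 - cm.likelihood_factor)
            decision = f"fortify: {cm.name}" if avoided > cm.cost else "accept"
            findings[threat.name] = (loss, decision)
        report[asset.name] = findings
    return report


def prioritised(report):
    """Order findings by expected loss, highest first: the 'most likely or
    most worrisome' threats the slides say to protect against."""
    rows = [(a, t, loss, d) for a, f in report.items() for t, (loss, d) in f.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed inventory for the demonstration.
ASSETS = [
    Asset("customer-db", value=100_000.0, visibility=5, inherent_weakness=5, location=5),
    Asset("intranet-wiki", value=5_000.0, visibility=2, inherent_weakness=2, location=2),
]
THREATS = [
    Threat("sql-injection", 0.5, 0.8, frozenset({"customer-db"})),
    Threat("ransomware", 0.2, 1.0, frozenset({"customer-db", "intranet-wiki"})),
    Threat("physical-theft", 0.05, 1.0, frozenset({"intranet-wiki"})),
]
COUNTERMEASURES = [
    Countermeasure("parameterised-queries", "sql-injection", cost=8_000.0, likelihood_factor=0.1),
    Countermeasure("offline-backups", "ransomware", cost=3_000.0, likelihood_factor=0.25),
    Countermeasure("cabinet-lock", "physical-theft", cost=500.0, likelihood_factor=0.0),
]

if __name__ == "__main__":
    for asset, threat, loss, decision in prioritised(evaluate(ASSETS, THREATS, COUNTERMEASURES)):
        print(f"{asset:14} {threat:15} expected loss {loss:>9.0f}  -> {decision}")
```

Run as a script it prints the register ordered by expected loss. On the constructed inventory the SQL-injection and ransomware threats to the customer database are fortified, while the two low-value wiki findings are accepted because the countermeasure would cost more than the loss it avoids, which is the "fortify / accept" step of the vulnerability-assessment method made explicit.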